Occasionally, when faced with the various payment forms on sites intended for entering card data, I wonder why on so many of them the card expiration date (Expiration Date) selection list contains garbage, and the secret code entry field (CVV2 / CVC2) is not protected. Of course, by no means everyone will see these as problems, but I would still like to hear the opinions of those who think this is normal.
The problem with the card expiry year selection list is that on quite a few sites this field contains outdated values: 2011, 2012 and now already 2013. Obviously, payment with an expired card will not work anyway, but this probably increases the likelihood of a user's error when filling out the form, even if not proportionally. And it looks odd.
However, outdated year values are still less common than the problem with the CVV2 / CVC2 field.
In the vast majority of payment forms that I have personally encountered, this field is a plain text field (type text) rather than a masked one (type password). That is, confidentiality is not ensured even at the level of hiding the data typed on the keyboard from view on the screen. Of course, many banks are now introducing two-factor authentication via 3-D Secure, but there are still many where a payment can be made simply by entering all the card data without any additional confirmation of the user's identity.
If the first problem is on the whole not very critical and is caused only by a lack of desire to edit the form every year or to implement an additional check against the current date, then the story of the almost total lack of protection of CVV2 / CVC2 from simple shoulder surfing is much less clear.
Surely there are specialists here, including those who have participated in the development of payment web-form interfaces. It would be interesting to know whether this is considered a problem in their environment and why. After all, there must be some rational explanation for this.
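Both problems are cheap to fix on the client side. The following is an added example (not code from the original post or from any particular payment site) showing how a form can derive the expiry year list from the current date instead of hard-coding it, reject an expiry month/year that is already in the past, and declare the CVV2 / CVC2 field as a masked, numeric, non-autofilled input. The function names, the ten-year window and the field name `cvc` are this example's own assumptions.

```javascript
// Added example (not from the original post): building a card-expiry year
// list from the current date instead of hard-coding it, validating that the
// chosen expiry is not in the past, and describing a masked CVV2/CVC2 field.
// All function and field names here are this example's own assumptions.

// Assumed window: offer the current year plus ten more, which comfortably
// covers the validity period of cards in circulation.
const YEARS_AHEAD = 10;

// Return the expiry years to offer, starting from the current year.
// `now` is injectable so the list is testable and never contains stale years.
function expiryYears(now = new Date(), yearsAhead = YEARS_AHEAD) {
  const start = now.getFullYear();
  return Array.from({ length: yearsAhead + 1 }, (_, i) => start + i);
}

// True when the month/year pair (month 1-12) is still valid at `now`.
// A card is valid through the last day of its expiry month.
function isExpiryValid(month, year, now = new Date()) {
  if (!Number.isInteger(month) || month < 1 || month > 12) return false;
  if (!Number.isInteger(year)) return false;
  // JS months are 0-based, so `month` here already indexes the *next* month:
  // the first instant at which the card is no longer valid.
  const firstInvalid = new Date(year, month, 1);
  return now < firstInvalid;
}

// Attributes for a CVV2/CVC2 input: masked like a password so the digits
// cannot be read off the screen, numeric-only, 3 or 4 digits, and excluded
// from browser autofill so the code is not stored on the user's machine.
function cvvFieldAttributes() {
  return {
    type: 'password',      // mask the digits on screen
    name: 'cvc',           // assumed field name
    inputmode: 'numeric',  // numeric keypad on mobile devices
    pattern: '[0-9]{3,4}', // 3 digits for most schemes, 4 for some
    minlength: '3',
    maxlength: '4',
    autocomplete: 'off',   // never let the browser remember the code
    required: '',
  };
}

// Server- or client-side check of the submitted security code.
function isCvvValid(value) {
  return typeof value === 'string' && /^[0-9]{3,4}$/.test(value);
}

// Render the two fields as an HTML fragment for inclusion in a payment form.
function renderExpiryAndCvvFields(now = new Date()) {
  const years = expiryYears(now)
    .map((y) => `<option value="${y}">${y}</option>`)
    .join('');
  const cvvAttrs = Object.entries(cvvFieldAttributes())
    .map(([k, v]) => (v === '' ? k : `${k}="${v}"`))
    .join(' ');
  return `<select name="exp_year">${years}</select>\n<input ${cvvAttrs}>`;
}

// Stand-alone usage: print the fragment for today's date.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderExpiryAndCvvFields());
}

module.exports = { expiryYears, isExpiryValid, cvvFieldAttributes, isCvvValid, renderExpiryAndCvvFields };
```

Because `expiryYears` takes the current date as a parameter, the option list regenerates itself on every page load and the form never needs a yearly edit; `isExpiryValid` should still run on the server, since anything rendered in the browser can be altered before submission. The masked field only hides the code from someone looking at the screen; it does nothing for transport security, so it complements rather than replaces TLS and 3-D Secure.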